Multiple SQL injection attempts is missing defined rules

[kaiwoe]

Rule ID 31152 is only fired on a single SQL injection attempt rule (ID 31103)

 <rule id="31152" level="10" frequency="8" timeframe="120">
    <if_matched_sid>31103</if_matched_sid>
    <same_source_ip />
    <description>Multiple SQL injection attempts from same </description>
    <description>source ip.</description>
    <mitre>
      <id>T1055</id>
    </mitre>  <group>attack,sql_injection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
 </rule>

But in the ruleset is more than one sqlinjection rule defined. For example:

 <rule id="31170" level="6">
    <if_sid>31100</if_sid>
    <url>%2csleep|sysdate()|nslookup%20dns.sqli</url>
    <description>SQL injection attempt.</description>
    <group>attack,sqlinjection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,</group>
  </rule>

  <rule id="31171" level="6">
   <if_sid>31100</if_sid>
   <url>select%20|insert%20</url>
   <description>SQL injection attempt.</description>
   <group>attack,sqlinjection,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.1,gdpr_IV_35.7.d,</group>
  </rule>

This will result in some sql injection attempts are not beeing correlated.
A solution could be to replace if_matched_sid with if_matched_group:

<if_matched_sid>31103</if_matched_sid>
<if_matched_group>sqlinjection</if_matched_group>

Wazuh Version:

/var/ossec/bin/wazuh-control -j info
{"error":0,"data":[{"WAZUH_VERSION":"v4.3.7"},{"WAZUH_REVISION":"40320"},{"WAZUH_TYPE":"server"}]}